Microsoft Planning To End Basic Authentication for Exchange Web Services in 2020

Microsoft announced earlier this month that it's planning to deprecate the Exchange Web Services API for Office 365 users.

The July 3 announcement by Yina Arenas, Microsoft Graph program manager, also explained that support for the Basic Authentication scheme that's used with Exchange Web Services will end on Oct. 13, 2020. This hard stopping point for Basic Authentication will be problematic for organizations with custom apps that use the scheme, according to an FAQ section within an Exchange team announcement. Essentially, such apps will "fail to connect" on that date if they use Basic Authentication.

The Oct. 13, 2020 end date also is a notable for another reason, according to the Exchange team. It's the date when perpetual-license Office products that are out of "mainstream support" will lose connections to various Office 365 services, such as OneDrive for Business and Skype for Business. Microsoft had announced this seemingly arbitrary policy change back in April of last year, which applies only to so-called "boxed" Office products that follow the perpetual licensing model, such as Office 2016. The coming Office 2019 perpetual-license product, currently available as a "commercial preview" for volume licensing customers, will exit mainstream support in 2023, according to Microsoft's plans, so it will still be capable of connecting to Office 365 services.

Instead of using Exchange Web Services, Microsoft is recommending that organizations switch to the Microsoft Graph to access Exchange Online data. They also should switch to using OAuth 2.0 for Exchange Online authentications in their applications, which is a "more secure and reliable" means of accessing data than Basic Authentication, according to Arenas. The Microsoft Graph and OAuth 2.0 protocols also provide "access to the latest features and functionality," she added.

Exchange Web Services will continue to be available, even though Microsoft is deprecating it, which means it'll no longer actively develop the service. Security updates and nonsecurity updates, though, will continue to arrive for Exchange Web Services, even though Microsoft has no plans to add new features.

Organizations can continue to use Exchange Web Services in production environments. The main catch concerns Basic Authentication, which has a hard stopping point. Organizations that have "hybrid" Exchange setups (that is, they use both Exchange Server and Exchange Online together) are currently using Exchange Web Services to call into Exchange Online, but such setups don't use Basic Authentication, so they won't be affected by Microsoft's policy change, according to the Exchange team's FAQ.

Microsoft's policy change will mostly affect organizations that are using Basic Authentication with their applications, as well as Office 2016 or older perpetual-license versions of Office. Other organizations likely aren't affected. Here's how the Exchange team FAQ characterized the matter:

If you only [use] Outlook to connect to Exchange Online then you don't need to worry, as long as you are using Office 2019 or Office 2019 Pro Plus you'll be fine come October 2020. However, if you also have integrated apps into your Office 365 tenant you'll need to check with the application developers to verify how it authenticates to Exchange Online if you aren't sure.

Possibly, Microsoft will be able to detect such applications that use Basic Authentication. "We are investigating how we can share this information with tenant admins," the Exchange team's FAQ stated.

Microsoft updated an August security advisory this week to urge organizations using the Lightweight Directory Access Protocol in supported Windows systems to implement some configuration changes manually.